Re: Running Web Servers In A Chroot Jail



On Sat, 20 Mar 2010 09:08:03 GMT, markhobley@xxxxxxxxxxxxxxxxxxxxxxxxxxx (Mark Hobley) wrote:

Artist <artist@xxxxxxxxxxxxxxxx> wrote:
So I want to know how important it is to run a web server in a jail, and
how prevalent jailing it is.

It depends on which webserver you are running, and how secure your cgi scripts
are. You probably need to do a code audit to determine this at this time.

Trouble is, how does a newbie know quality from crap information?

I think they're aware of security as an abstract notion, but until
their site gets hacked they don't really focus on the details.

PHP is convenient, but it allows laziness and thus tends to encourage
security breaches.

Running a server in a chroot jail seems like damage containment rather
than prevention, no?

I run http and ftp servers here, both are secure and neither offer any
user/pass logins. Glancing through the logs can be an education.

Grant.
.